On 11/27/07, ronnie sahlberg <ronniesahlberg at gmail.com> wrote:
> Are there any differences in how the request pdu is constructed,
> extra flags in KDCOptions or similar or extra flags
> in the preauthentication header ?
> when it requests a http service ticket compared to a cifs ticket?
Hi Ronnie,
TGS-REQs are:
Realm: W.NET
Name: HTTP/ls1.w.net
Name type: Service and Instance (2)
KDCOptions: Forwardable, Renewable
Realm: W.NET
Name: cifs/dc1.w.net
Name type: Service and Instance (2)
KDCOptions: Forwardable, Renewable
Both requests are from the same XP machine to Windows 2003 Server.
> If you decrypt the tickets with wireshark, make sure to check all the
> bytes in the hexdump in there in case it "skips" something unknown.
Yeah, I scaned over the whole PAC looking for the hex values of RIDs
for DLGs the user is in. But what is more compelling is that when I
add and remove the user to and from a Domain Local group the
HTTP/ls1.w.net TGS-REP's size does not change whereas for
cifs/dc1.w.net it's size does change by 40 bytes for each DLG.
> So, when you add two DLGs then it changes by 80 bytes in size?
Yup. Exactly.
> In an all w2k environment I recall that the client will request a http
> ticket by specifying that it wants constrained-delegation.
> Maybe this affects what gets stored inside the pac?
The Contrainted Delegation flag in the KDCOptions field is not set in
either TGS-REQ so I don't think DC is involved.
I think maybe AD is selectively leaving out Domain Local groups for
HTTP service tickets. Maybe because authentication occurs with every
single request they're tyring to speed things up.
Mike
> On Nov 27, 2007 7:10 PM, Michael B Allen <ioplex at gmail.com> wrote:
> > On 11/26/07, Michael B Allen <ioplex at gmail.com> wrote:
> > > Hi,
> > >
> > > I'm doing some network analysis of Windows 2003 Server and I've
> > > noticed that Domain Local Groups are not in the PAC. Is that right?
> > > All the docs seem to indicate that DLGs should be in the PAC but I've
> > > captured some TGS-REPs for HTTP session tickets and they're not.
> >
> > The size of the TGS-REP for a cifs ticket changes by 40 bytes when a
> > Domain Local group is added or removed. For an HTTP ticket it does not
> > change. So it seems that DLGs are not included in HTTP session tickets
> > but they are in cifs tickets.
> >
> > Mike
> >
>
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/